Monday, December 20, 2010

The 6th Circuit Court of Appeals ruled on December 14th that the defendant had a reasonable expectation of privacy in his email stored by his Internet Service Provider and that the government violated his 4th Amendment rights by conducting warrantless searches of his email. However, due to the government’s good faith reliance on the Stored Communications Act, the emails did not have to be excluded in a trial against him. The case highlights the need to modernize the Electronic Communications Privacy Act, which includes the Stored Communications Act at issue.

Steven Warshak owned and operated small businesses that sold Enzyte, an herbal supplement. His companies had annual sales of $250 million and featured a media campaign that included television ads for Smiling Bob. However, the company also used an auto-ship feature that continued to send the customer products until the customer cancelled the subscription, which resulted in 1,500 complaints to the Better Business Bureau. The companies also concocted plans to bury the disclosure regarding the auto-ship feature. As a result, the companies ran into chargeback issues and had a merchant account terminated at one point. This led to schemes to decrease the percentage of chargebacks by splitting transactions into two, and then into three, and even creating bogus transactions on Warshak’s personal credit cards to balance out the chargebacks.

To build the case against him, the government obtained nearly 27,000 emails from Warshak's ISP without a warrant but relied on the SCA, which permits a governmental entity to compel an ISP to disclose the contents of electronic communications. Over a year after they obtained the emails, the government notified Warshak about the access to his email, as required under the SCA. Thus, Warshak obtained an injunction against the collection of his email in the future. Meanwhile, a grand jury in the Southern District of Ohio returned a 112-count indictment against Warshak and co-defendants on charges of mail, wire, and bank fraud, and money laundering, amongst other crimes. After a trial based on the emails and other evidence, Warshak was sentenced to 25 years imprisonment and ordered to surrender nearly half a billion in proceeds.

During his first visit, in 2007, the Circuit Court reviewed the injunction issued by the district court “enjoin[ing] additional seizures of e-mails from an ISP account of any resident of the Southern District of Ohio without notice to the account holder and an opportunity for a hearing.” Initially, the 6th Circuit slightly modified this injunction, but an en banc panel, in 2008, reviewed this decision and vacated it on ripeness grounds. This latest 6th Circuit opinion is Warshak’s third visit and ripeness is not an issue because he has already been convicted. Moreover, two members of this most recent panel were part of the en banc panel that had vacated the 2007 decision, which suggests a similar result in the event of an en banc review.

On this latest visit to the 6th Circuit, Warshak, once again, argued that the government’s seizure of his private emails from his ISP constituted a violation of the 4th Amendment prohibition on unreadable searches and seizures. The Circuit Court first analyzed Warshak’s subjective expectation of privacy and easily found it to be satisfied in the case. The Circuit Court then turned to whether society is willing to recognize Warshak’s expectation of privacy in his email as reasonable. The court noted that “[s]ince the advent of email, the telephone call and the letter have waned in importance, and an explosion of Internet-based communication has taken place. People are now able to send sensitive and intimate information, instantaneously, to friends, family, and colleagues half a world away.” After reviewing Supreme Court precedent relating to communication by phone and letter, the court then stated that “[i]f we accept that an email is analogous to a letter or a phone call, it is manifest that agents of the government cannot compel a commercial ISP to turn over the contents of an email without triggering the Fourth Amendment.”

The Circuit Court then addressed the government’s argument that Warshak’s agreement with his ISP reserved a right to access Warshak’s email. However, the Circuit Court countered that neither the ability of someone to intercept the communication nor the right of access diminished the reasonableness of the user’s expectation of privacy. Electronic Frontier Foundation’s amicus brief proved useful for this part of the opinion as it pointed out that even telephone companies have similar provisions in their agreements with their subscribers. Nevertheless, the Circuit Court also stated that an ISP’s “intention to ‘audit, inspect, and monitor’ its subscribers’ email . . . might be enough to render an expectation of privacy unreasonable.” Nevertheless, the court held that:

a subscriber enjoys a reasonable expectation of privacy in the contents of emails “that are stored with, or sent or received through, a commercial ISP.” . . . The government may not compel a commercial ISP to turn over the contents of a subscriber’s emails without first obtaining a warrant based on probable cause. Therefore, because they did not obtain a warrant, the government agents violated the Fourth Amendment when they obtained the contents of Warshak’s emails. Moreover, to the extent that the SCA purports to permit the government to obtain such emails warrantlessly, the SCA is unconstitutional.

Despite this unconstitutionality, the government relied in good faith on the SCA while obtaining Warshak’s emails. Therefore, the Circuit Court upheld the trial court’s refusal to exclude the evidence against him. As a result, at least in the 6th Circuit, the government should not be able to rely in good faith on the SCA to obtain emails without warrants in the future.

The SCA has been under criticism for some time. Earlier this year, Digital Due Process Coalition, issued principles regarding the need to update the ECPA, which includes the SCA at issue in this case. It is no surprise that companies such as Microsoft, Google, AT & T, Facebook, and others are increasingly concerned with compliance with this aging legislation. A judicial solution may provide a much needed, but narrow, remedy to re-introduce the constitutional protections to electronic communications. However, a legislative solution would likely be more efficient as it would resolve other issues pertaining to location information, which is a natural part of mobile phone internet access, and private Facebook messages, which are not all that different from emails. Therefore, this holding should reinvigorate the debate concerning updates to ECPA that would better adapt constitutional protections to changing technologies, allow businesses to comply more efficiently with the law without losing consumer confidence, and still provide law enforcement with the capabilities to monitor communications while staying within the boundaries of the protections of the Constitution.

Wednesday, December 01, 2010

The Federal Trade Commission released a preliminary staff report titled Protecting Consumer Privacy in an Era of Rapid Change that proposes three new principles of Privacy by Design, Simplified Choice, and Greater Transparency to supplement its notice/choice and harm based model to address the commercial use of consumer information. The proposed scope of the staff report is all commercial entities that collect or use consumer data that can reasonably be linked to a specific consumer, computer, or other device. When finalized, this framework may require major changes to the way companies draft, present, and abide by privacy notices and the way consumers make choices when their information is collected. However, the report is only preliminary and the FTC is seeking comments on the proposed framework, including whether it should recommend legislation in this area if the private sector is unable to implement a uniform effective choice mechanism.

In its news release, the FTC states that the it is not satisfied with “industry efforts to address privacy through self-regulation,” which “have been too slow, and up to now have failed to provide adequate and meaningful protection.” The report also suggests that the FTC’s notice/choice and harm based model's shortcomings coupled with the advances in technology necessitate a new framework. The FTC came up with these new principles based partly on the three roundtables conducted in the past year, which found that collection of consumer information was ubiquitous, consumers did not understand this collection and could not make meaningful choices, privacy was important to consumers, and the distinction between personally identifiable information and anonymous information was blurring.

Using this new framework, under the Privacy by Design principle, the FTC proposes that companies incorporate substantive privacy protections into their practices, including data security, collection limitations, retention practices, data accuracy, training, and assigning employees to oversee privacy issues.

Under the Simplified Choice principle, FTC suggests that companies need not provide notice regarding commonly accepted practices, such as service fulfillment, internal operations, fraud prevention legal compliance, and first-party marketing. However, the FTC suggests that companies should offer consumers informed, meaningful, clear, concise, just-in-time choices for uses that are not commonly accepted. The FTC also suggests that Do Not Track technology may have to be implemented to accomplish this goal in the behavioral advertising arena, but that its implementation will have to differ from the Do Not Call registry due to the differences in technology.

Under the Greater Transparency principle, the FTC suggests that privacy notices should be clearer, shorter, and standardized. Additionally, under this principle, companies should provide consumers with reasonable access to their information, obtain express consent before using consumer information in a materially different manner than claimed when the information was collected, and educate consumers. The FTC recommends that companies standardize the format and terminology of these notices and offers GLBA notices as guidance. Therefore, the new framework may require the rewrite of all online privacy policies, especially if it requires standardized forms and terminology. At a minimum, it may require privacy policies to be adjusted for a layered approach.

At times, the report raises more questions than it answers. The report includes 6 pages of questions for comments to be submitted to the FTC.It also leaves the legislative door open, but recommends robust, enforceable self-regulation. It is also broad in scope. It mentions everything from deep packet inspection to flash cookies to HTML 5 evercookies.

Nevertheless, the FTC reiterates its willingness to “take action against companies that cross the line with consumer data and violate consumers’ privacy – especially when children and teens are involved.” The day before the announcement of the staff report, the FTC also announced an enforcement action against EchoMetrix regarding the disclosure of children’s information to third party marketers without adequate disclosure to parents.

This web site provides general information about our firm for your convenience. This website and its content do not establish an attorney/client relationship between us. Information on the site is not legal advice.
Do not send confidential information to any of our lawyers without first obtaining our permission.